When we developed the security rules for Qlik Sense, I didn’t anticipate the wide adoption of these for defining new administrative roles in the QMC. But now that Qlik Sense has been on the market for a while, we can see that distributing administrative tasks to users is something that is widely needed and used.
It is not strange that this is a requested feature: when we introduce a self-service concept for the client, why would you not want to have the same experience for administration?
So in this post I would like to share two tips and tricks that will help you create these distributed administration roles.
The first thing I’m going to cover is the general structure of defining an administration role.
There are three parts to an administrative role: defining the role using rules, assigning it to a user, and defining the scope they should be able to administer.
To define who should be admin we can use things like custom properties, roles and user directory attributes. Each has its own pros and cons.
To define the role, you may need up to five rules: one each to define what you are allowed to read, create, edit and delete, and a fifth rule to define the sections in the QMC that the user is allowed to see. Sometimes you can collapse multiple rules into one; for example, when the user is allowed to read and delete the same resources, you only need one rule. The only rule that you should keep separate is the create rule; this will avoid some simple mistakes.
For the custom roles you often want to limit their scope by using some type of filter on resources. Typical things we see customers filter on are custom properties, streams, ownership and name. For example, to create a document admin you could filter on the name of the app, or if you want to create a stream admin you will filter resources based on which stream they refer to.
You can find example roles in our documentation.
The second thing I wanted to cover is that there are some common things that an administrator likes to be able to do that require multiple permissions to resources. One example is duplicate. The table below should help you understand which tasks need multiple permissions.
Administrative task | App | Stream | App.Object | Data Connection | UserSyncTask | ReloadTask | UserDirectory |
---|---|---|---|---|---|---|---|
Import | Create and Update | | | Create (if new data connection in the imported app) | | | |
Start UserSyncTask | | | | | Read | | Update |
Start Reload Task | Update | | | | | Read | |
Duplicate app in QMC | Read and Create | | Read (otherwise the app will be duplicated, but only app objects that the user has read access on will be included in the duplicated app) | | | | |
Publish app | Read and Publish | Read and Publish | Read (otherwise the app will be published, but only app objects that the user has read access on will be published) | | | | |
Publish and replace | Read, Update and Publish | Read and Publish | Read and Update | | | | |
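
The table can also be used as a least-privilege check when reviewing a custom role. The following Python script is an added example, not part of the original post or of Qlik's tooling: it transcribes the table and reports, for a set of tasks the role is meant to perform, which permissions are missing and which grants no listed task needs. The names `REQUIREMENTS`, `audit_role` and `SAMPLE_GRANTS` are hypothetical, and the sample role is constructed.

```python
# Added example: requirement data transcribed from the table above.
# "required"         = permissions listed without a caveat
# "degraded_without" = task still runs, but only readable app objects are included
# "conditional"      = needed only in the case the table describes
REQUIREMENTS = {
    "Import": {"required": {("App", "Create"), ("App", "Update")},
               # only if the imported app brings a new data connection
               "conditional": {("Data Connection", "Create")}},
    "Start UserSyncTask": {"required": {("UserSyncTask", "Read"), ("UserDirectory", "Update")}},
    "Start Reload Task": {"required": {("App", "Update"), ("ReloadTask", "Read")}},
    "Duplicate app in QMC": {"required": {("App", "Read"), ("App", "Create")},
                             "degraded_without": {("App.Object", "Read")}},
    "Publish app": {"required": {("App", "Read"), ("App", "Publish"),
                                 ("Stream", "Read"), ("Stream", "Publish")},
                    "degraded_without": {("App.Object", "Read")}},
    "Publish and replace": {"required": {("App", "Read"), ("App", "Update"), ("App", "Publish"),
                                         ("Stream", "Read"), ("Stream", "Publish"),
                                         ("App.Object", "Read"), ("App.Object", "Update")}},
}


def audit_role(grants, wanted_tasks):
    """Return (per-task report, grants that none of the wanted tasks need)."""
    grants, needed, report = set(grants), set(), {}
    for task in wanted_tasks:
        req = REQUIREMENTS[task]
        required = req.get("required", set())
        partial = req.get("degraded_without", set())
        optional = req.get("conditional", set())
        needed |= required | partial | optional
        if required - grants:
            status = "blocked"   # at least one required permission is absent
        elif partial - grants:
            status = "partial"   # completes, but app objects are silently dropped
        else:
            status = "ok"
        report[task] = {"status": status,
                        "missing": sorted((required | partial) - grants),
                        "conditional_missing": sorted(optional - grants)}
    return report, sorted(grants - needed)


# Constructed sample: what a hypothetical "stream admin" role currently grants.
SAMPLE_GRANTS = {("App", "Read"), ("App", "Publish"), ("App", "Delete"),
                 ("Stream", "Read"), ("Stream", "Publish")}

if __name__ == "__main__":
    report, excess = audit_role(SAMPLE_GRANTS, ["Publish app", "Duplicate app in QMC"])
    for task, result in report.items():
        print(task, result)
    print("grants not needed by the wanted tasks:", excess)
```

The grants it flags as not needed are only candidates for review, since the table covers just the multi-permission tasks and a role may hold other permissions for good reason.
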
I hope that you found these tips on creating custom administrative roles helpful. If you have questions on this blog post or have ideas of what you want to read about in the future, please don’t hesitate to add comments to the post.